On Thu, Apr 23, 2015 at 8:52 PM, Borislav Petkov <b...@alien8.de> wrote:
> On Thu, Apr 23, 2015 at 11:24:14AM -0700, Andy Lutomirski wrote:
>> That nails it. We really do leak segment limits to other tasks on AMD
>> chips. I see at least two questions we should answer before fixing
>> this:
>
> Ok, WTF is going on?! Even this trivial test case causes a Bus Error:
>
> ---
> /* Headers needed for printf, pthread_create, err and usleep. */
> #include <err.h>
> #include <pthread.h>
> #include <stdio.h>
> #include <unistd.h>
>
> static unsigned short GDT3(int idx)
> {
>         return (idx << 3) | 3;
> }
>
> static void *threadproc(void *ctx)
> {
>         printf("Hello world\n");
>         return NULL;
> }
>
> int main()
> {
>         pthread_t thread;
>         if (pthread_create(&thread, 0, threadproc, 0) != 0)
>                 err(1, "pthread_create");
>
>         /* Spin on a syscall so the task keeps going through sysret. */
>         while (1) {
>                 usleep(1);
>         }
>
>         return 0;
> }
> ---
>
> $ make sysret_ss_attrs_32
> gcc -m32 -o sysret_ss_attrs_32 -O2 -g -std=gnu99 -pthread -Wall sysret_ss_attrs.c -lrt -ldl
> sysret_ss_attrs.c:23:23: warning: ‘GDT3’ defined but not used [-Wunused-function]
>  static unsigned short GDT3(int idx)
>                        ^
> $ taskset -c 0 ./sysret_ss_attrs_32
> Hello world
> Bus error
>
> in dmesg:
>
> [  583.389368] traps: sysret_ss_attrs[2135] trap stack segment ip:f7784b87 sp:ffb640c0 error:0
I reproduced it. I also confirm that the patch fixes it.

In fact, the simplest reproducer is

    int main() { while (1) usleep(1); return 0; }

- no threads necessary. You only need to do a lot of sysret32's, and eventually it happens.

If you omit -m32, it doesn't happen.

--
vda
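The dmesg line quoted above is the symptom a defender would watch for while this kernel bug is unpatched. The following is an added example, not code from the thread or the kernel selftests: it parses lines in the kernel's "traps:" format (process name, pid, trap name, ip, sp, error code) and counts "stack segment" traps per process. Only the first sample line is from the thread; the other lines are constructed to show filtering.

```python
import re
from typing import Optional

# Kernel "traps:" line, as quoted in the thread:
#   [  583.389368] traps: sysret_ss_attrs[2135] trap stack segment ip:f7784b87 sp:ffb640c0 error:0
TRAP_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+traps:\s+"
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]\s+trap\s+"
    r"(?P<trap>.+?)\s+ip:(?P<ip>[0-9a-f]+)\s+sp:(?P<sp>[0-9a-f]+)\s+error:(?P<err>[0-9a-f]+)"
)

# Constructed sample: line 1 is the one from the thread, lines 2-4 are made up
# (another #SS from the same reproducer, an unrelated #GP, a non-trap line).
SAMPLE_DMESG = """\
[  583.389368] traps: sysret_ss_attrs[2135] trap stack segment ip:f7784b87 sp:ffb640c0 error:0
[  601.120004] traps: sysret_ss_attrs[2190] trap stack segment ip:f77a1b87 sp:ffd3a0c0 error:0
[  610.004411] traps: somedaemon[801] trap general protection ip:7f3a1c0e52b1 sp:7ffd5b2c0e10 error:0
[  612.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""


def parse_trap_line(line: str) -> Optional[dict]:
    """Return the fields of one 'traps:' line, or None if it is not one."""
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "trap": m["trap"],          # e.g. "stack segment" for #SS
        "ip": int(m["ip"], 16),
        "sp": int(m["sp"], 16),
        "error": int(m["err"], 16),
    }


def count_stack_segment_traps(text: str) -> dict:
    """Count #SS ('stack segment') traps per process name across a dmesg dump.
    A burst of these from otherwise healthy 32-bit binaries is the signature
    the thread describes."""
    counts: dict = {}
    for line in text.splitlines():
        rec = parse_trap_line(line)
        if rec and rec["trap"] == "stack segment":
            counts[rec["comm"]] = counts.get(rec["comm"], 0) + 1
    return counts


if __name__ == "__main__":
    print(count_stack_segment_traps(SAMPLE_DMESG))
```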